When an EC2 (Amazon's Elastic Compute Cloud) instance is stopped and started again, a new hostname is assigned to the instance, so new TLS certificates must be generated to match the new hostname. The following covers how to regenerate the TLS keys and certificates, and also how to regenerate the EJBCA SuperAdmin keystore, which is useful if you lose the SuperAdmin keystore or if it expires.

Regenerate TLS Keys and Certificates

EJBCA

The following describes how to generate new TLS certificates on the EJBCA Cloud instance. For more information, refer to the AWS TLS Certificate Generation Guide and Azure TLS Certificate Generation Guide.

  1. SSH to the EJBCA server instance. For example:

    ssh -i ~/.ssh/your-public-key.pem ec2-user@ec2-13-48-137-48.eu-north-1.compute.amazonaws.com
  2. Run the following commands to generate new certificates:

    # sudo su -
    # cd /opt/PrimeKey/support
    # ./new_tls_cert.sh -p

SignServer

The following describes how to generate new TLS certificates on the SignServer Cloud instance. For more information, refer to the AWS TLS Certificate Generation Guide.

To generate new TLS certificates:

  1. SSH to the EJBCA instance, where the SignServer certificates are generated before being copied over. For example:

    ssh -i ~/.ssh/your-public-key.pem ec2-user@ec2-13-48-137-48.eu-north-1.compute.amazonaws.com
  2. Run the following commands to get elevated privileges and change to the correct directory:

    # sudo su -
    # cd /opt/PrimeKey/support
  3. Execute the script create_ra_tls_certs.sh with the DNS and IP information of the SignServer instance, passing the external DNS name, internal DNS name, external IP, and internal IP as in the following example:

    # ./create_ra_tls_certs.sh -d ec2-13-48-31-155.eu-north-1.compute.amazonaws.com -d ip-172-16-2-38.ec2.internal -i 13.48.31.155 -i 172.16.2.38
  4. Copy the generated PEM files from /home/ec2-user/pem/ on the EJBCA instance to /etc/httpd/ssl on the SignServer instance.
    The following copies them via your local machine with scp; note that it is also possible to use a third-party program to copy the files from server to server.

    On your local machine:

    mkdir signserverpem

    From EJBCA:

    scp -i ~/.ssh/your-public-key.pem ec2-user@ec2-13-48-137-48.eu-north-1.compute.amazonaws.com:/home/ec2-user/pem/* signserverpem/.

    To SignServer:

    scp -i ~/.ssh/your-public-key.pem signserverpem/* ec2-user@ec2-13-48-31-155.eu-north-1.compute.amazonaws.com:.
  5. SSH to the SignServer instance:

    ssh -i ~/.ssh/your-public-key.pem ec2-user@ec2-13-48-31-155.eu-north-1.compute.amazonaws.com

    On SignServer:

    cp *.pem /etc/httpd/ssl/.
    cp *.key /etc/httpd/ssl/.
  6. Restart the Apache service:

    # sudo -i
    # systemctl restart httpd
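Added example, not from the EJBCA Cloud documentation or its support scripts: a check to run on either instance before and after the steps above, confirming that the certificate Apache serves still lists the instance's current hostnames and IPs in its subjectAltName, since a certificate issued before the stop/start carries the old names. The `<server-cert>.pem` path and the availability of openssl on the instance are assumptions; the names are the ones used in step 3.

```shell
# Added example, not part of the EJBCA Cloud image: verify that a TLS certificate's
# subjectAltName covers the instance's current hostnames and IPs.

# san_matches SAN_TEXT NAME
# Returns 0 if NAME (hostname or IP) is listed in SAN_TEXT, the comma-separated
# line printed by "openssl x509 -noout -ext subjectAltName", e.g.
#   DNS:ec2-13-48-31-155.eu-north-1.compute.amazonaws.com, IP Address:13.48.31.155
# A wildcard entry "*.example" covers exactly one extra left-most label.
san_matches() {
    san_text=$1; name=$2
    old_ifs=$IFS; IFS=','
    set -f; set -- $san_text; set +f   # split on commas, no pathname globbing
    IFS=$old_ifs
    for entry in "$@"; do
        entry=${entry# }               # drop the space after each comma
        entry=${entry#DNS:}
        entry=${entry#"IP Address:"}
        case "$entry" in
            "$name") return 0 ;;
            "*."*)
                suffix=${entry#\*}
                head=${name%"$suffix"}
                # NAME must end with the suffix and have one dot-free label before it
                if [ "$head" != "$name" ] && [ -n "$head" ] && [ "${head#*.}" = "$head" ]; then
                    return 0
                fi ;;
        esac
    done
    return 1
}

# cert_covers_names CERT_PEM NAME...
# Prints one line per NAME; returns 0 only if every NAME is in the certificate's
# SAN. Needs openssl (assumed to be installed on the instance).
cert_covers_names() {
    cert=$1; shift
    san=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null | sed -n '2p')
    rc=0
    for n in "$@"; do
        if san_matches "$san" "$n"; then echo "ok       $n"; else echo "MISSING  $n"; rc=1; fi
    done
    return $rc
}

# On the SignServer instance, with the names from step 3 (<server-cert>.pem is a
# placeholder for the PEM file copied into /etc/httpd/ssl):
#   cert_covers_names /etc/httpd/ssl/<server-cert>.pem \
#     ec2-13-48-31-155.eu-north-1.compute.amazonaws.com ip-172-16-2-38.ec2.internal \
#     13.48.31.155 172.16.2.38
```

A non-zero exit with one or more MISSING lines means the certificate predates the current hostnames and the regeneration steps above are needed.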

Regenerate EJBCA SuperAdmin Keystore

The following describes how to generate a new superadmin keystore, which is useful if you lose the superadmin keystore or if it expires.

To generate a new superadmin keystore using the CLI:

  1. Renew superadmin certificate:

    # cd /opt/ejbca
    # bin/ejbca.sh ra setendentitystatus superadmin 10
    # bin/ejbca.sh ra setclearpwd superadmin password
    # bin/ejbca.sh batch
  2. Copy /opt/ejbca/p12/superadmin.p12 to your local machine and import it in your browser (using the password set in step 1: password):

    # scp -i /route/to/your/pem-file.pem ec2-user@ec2-13-53-44-197.eu-north-1.compute.amazonaws.com:/opt/ejbca/p12/superadmin.p12 /directory/you/want-to/download
  3. Verify that you can access EJBCA Adminweb with the new superadmin certificate.